The present disclosure provides techniques for calculating an entity's cybersecurity risk based on identified relationships between the entity and one or more vendors. Customer/vendor relationships may impact the cybersecurity risk for each of the parties involved because a security compromise of a downstream or upstream provider can lead to a compromise of multiple other companies. For example, if organization A uses B (e.g., a cloud service provider) to store files, and B is compromised, this may lead to organization A being compromised (e.g., the files organization A stored using B may have been compromised by the breach of B's cybersecurity). Embodiments of the present disclosure further provide a technique for calculating a cybersecurity risk score for an organization based on identified customer/vendor relationships.
|
19. A system for detecting cybersecurity threats to a company based on breaches of one or more vendors through non-intrusive analysis of content on one or more vendors' websites containing information that relates to the first company, the system comprising:
a memory; and
one or more processors coupled to the memory, the one or more processors configured to:
generate a candidate universal resource locator (URL) associated with a first vendor, wherein the candidate URL comprises:
first information corresponding to a website attributable to the first vendor, and
second information associated with a first company, wherein the first vendor and the first company are different, and
wherein the candidate URL is generated by combining the first information and the second information to produce the candidate URL that includes the first information as a domain of the website attributable to the first vendor and the second information as a directory or a subdomain within the domain of the website attributable to the first vendor;
validate the candidate URL, wherein the candidate URL is validated by:
determining whether the candidate URL resolves to a website of the first vendor that includes an indication the first company uses a service offered by the first vendor, wherein the indication comprises a login feature and a logo of the first company, wherein the first company accesses the service offered by the first vendor via the login feature, and wherein the first company exchanges data with the first vendor subsequent to accessing the service via the login feature;
determine a cybersecurity posture of the first vendor; and
adjust a cybersecurity risk score for the first company based, at least in part, on the cybersecurity posture of the first vendor to produce an adjusted cybersecurity risk score for the first company, wherein the adjusted cybersecurity risk score for the first company is based, at least in part, on a risk of breach of the data exchanged between the first vendor and the first company in the event of a breach of the first vendor.
1. A method for detecting cybersecurity threats to a company based on breaches of one or more vendors through non-intrusive analysis of content on one or more websites, the method comprising:
generating, by one or more processors, a candidate universal resource locator (URL) associated with a first vendor, wherein the candidate URL comprises:
first information corresponding to a website attributable to the first vendor, and
second information associated with a first company, wherein the first vendor and the first company are different, and
wherein generating the candidate URL comprises combining the first information as a domain of the website attributable to the first vendor and the second information as a directory or a subdomain of the domain of the website attributable to the first vendor;
validating, by the one or more processors, the candidate URL, wherein the validating comprises determining, by the one or more processors, if the candidate URL resolves to a website of the first vendor that includes an indication the first company uses a service offered by the first vendor, wherein the indication comprises a login feature and a logo of the first company, wherein the first company accesses the service offered by the first vendor via the login feature, and wherein the first company exchanges data with the first vendor subsequent to accessing the service via the login feature;
in response to determining the candidate URL resolves to a website of the first vendor that includes an indication the first company uses a service offered by the first vendor, determining, by the one or more processors, a cybersecurity posture for the first vendor; and
adjusting, by the one or more processors, a cybersecurity risk score for the first company based on the cybersecurity posture for the first vendor to produce an adjusted cybersecurity risk score for the first company, wherein the adjusted cybersecurity risk score for the first company is based, at least in part, on a risk of breach of the data exchanged between the first vendor and the first company in the event of a breach of the first vendor's cybersecurity.
11. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform operations detecting cybersecurity threats to a company based on breaches of one or more vendors through non-intrusive analysis of content on one or more websites, the operations comprising:
generating a candidate universal resource locator (URL) associated with a first vendor, wherein the candidate URL comprises:
first information corresponding to a website attributable to the first vendor, and
second information associated with a first company, and wherein the first vendor and the first company are different, and
wherein the generating comprises combining the first information and the second information to produce the candidate URL that includes the first information as a domain of the website attributable to the first vendor and the second information as a directory or a subdomain within the domain of the website attributable to the first vendor;
validating, by the one or more processors, the candidate URL, wherein the validating comprises:
determining whether the candidate URL resolves to a website of the first vendor that includes an indication the first company uses a service offered by the first vendor, wherein the indication comprises a login feature and a logo of the first company, wherein the first company accesses the service offered by the first vendor via the login feature, and wherein the first company exchanges data with the first vendor subsequent to accessing the service via the login feature;
in response to determining the candidate URL resolves to a website of the first vendor that includes an indication the first company uses the service offered by the first vendor, determining a cybersecurity posture of the first vendor; and
adjusting a cybersecurity risk score for the first company based, at least in part, on the cybersecurity posture of the first vendor to produce an adjusted cybersecurity risk score for the first company, wherein the adjusted cybersecurity risk score for the first company accounts for a risk of breach of the data exchanged between the first vendor and the first company in the event of a breach of the first vendor.
2. The method of
analyzing content of the website, wherein the content of the website includes at least one of source code of the website, image content of the website, and text content of the website; and
traversing one or more links of the website to identify additional content of the website for analysis.
3. The method of
4. The method of
determining, based on the relationship between the first company and the first vendor, a risk factor that represents a likelihood a breach of the first vendor's cybersecurity will expose sensitive data of the first company; and
determining a weighting factor associated with the risk factor, wherein the cybersecurity score of the first company is determined based, at least in part, on the risk factor and the weighting factor.
5. The method of
identifying relationships between the first company and one or more additional vendors that are different from the first vendor;
determining a cybersecurity posture for each of the one or more additional vendors that have relationships with the first company; and
adjusting the cybersecurity risk score of the first company based, at least in part, on the cybersecurity postures of each of the one or more additional vendors that have relationships with the first company.
6. The method of
7. The method of
8. The method of
9. The method of
in response to a determination that the candidate URL resolves to the website of the first vendor that includes the indication the first company uses the service offered by the first vendor, generating, by the one or more processors, a plurality of additional candidate URLs, where each of the plurality of additional candidate URLs comprises the same first information as the candidate URL and different second information, and where the different second information corresponds to additional companies that are different from the first company;
determining, by the one or more processors, whether each of the plurality of additional candidate URLs resolves to a website of the first vendor that includes an indication an additional company of the additional companies uses the service offered by the first vendor; and
adjusting, by the one or more processors, a cybersecurity risk score for each of the additional companies identified as using the service offered by the first vendor based, at least in part, on the cybersecurity posture of the first vendor.
10. The method of
generating, by the one or more processors, a plurality of additional candidate URLs, wherein each of the plurality of additional candidate URLs comprises different first information and the same second information, and wherein, for each of the plurality of additional candidate URLs, the different first information corresponds to a vendor other than the first vendor;
determining, by the one or more processors, whether the plurality of additional candidate URLs resolves to a website of one of the different vendors that includes an indication the first company uses a service offered by the first vendor;
in response to determining that at least one of the plurality of additional candidate URLs resolves to a website of one of the different vendors, determining, by the one or more processors,
a cybersecurity posture for each of the different vendors; and
adjusting, by the one or more processors, the cybersecurity risk score of the first company based, at least in part, on the cybersecurity posture of each of the different vendors offering a service used by the first company.
12. The non-transitory computer-readable storage medium of
analyzing content of the website, wherein the content of the website includes at least one of source code of the website, image content included on the website, and text content of the website; and
traversing one or more links of the website to identify additional content of the website for analysis.
13. The non-transitory computer-readable storage medium of
14. The non-transitory computer-readable storage medium of
determining, based on the use of the service offered by the first vendor by the first company, a risk factor that represents whether a breach of the first vendor's cybersecurity will expose sensitive data of the first company; and
determining a weighting factor associated with the risk factor, wherein the cybersecurity score of the first company is adjusted based, at least in part, on the risk factor and the weighting factor.
15. The non-transitory computer-readable storage medium of
identifying relationships between the first company and one or more additional vendors that are different that the first vendor;
determining a cybersecurity posture for each of the one or more additional vendors that have relationships with the first company; and
adjusting the cybersecurity risk score of the first company based, at least in part, on the cybersecurity postures for each of the one or more additional vendors that have relationships with the first company.
16. The non-transitory computer-readable storage medium of
17. The non-transitory computer-readable storage medium of
18. The non-transitory computer-readable storage medium of
periodically determining whether any changes have occurred with respect to one or more previously identified relationships between the first company the one or more vendors; and
recalculating the cybersecurity risk score for the first company based on any changes that have occurred with respect to one or more previously identified relationships between the first company the one or more vendors.
20. The system of
analyzing source code of the website, image content of the website, analysis of text content of the website; and
traversing one or more links of the website to identify additional content for analysis.
21. The system of
22. The system of
determine a risk factor based on the relationship between the first company and the first vendor, wherein the risk factor that represents whether a breach of the first vendor's cybersecurity will expose sensitive data of the first company; and
determine a weighting factor associated with the risk factor, wherein the adjustment of the cybersecurity score of the first company is determined based, at least in part, on the risk factor and the weighting factor.
23. The system of
identify relationships between the first company and one or more additional vendors that are different from the first vendor;
determine a cybersecurity posture for each of the one or more additional vendors that have relationships with the first company; and
adjust the cybersecurity risk score of the first company based, at least in part, on the cybersecurity postures for each of the one or more additional vendors that have relationships with the first company.
24. The system of
|
The present application is generally related to the technical field of corporate cybersecurity technology, and more particularly to techniques for discovering organizational relationships and calculating an entity's cybersecurity risk based on discovered organizational relationships.
As the availability of access to various networks, such as the Internet, cellular data networks, etc., has increased, so too has the mobility of electronic devices. As a result of this increased mobility and access, more and more information is being stored in, and services provided through, the cloud. This has created an Internet ecosystem where corporate entities establish relationships (e.g., customer/vendor relationships, vendor/vendor relationship, etc.) with various third parties that provide cloud and other network accessible services (e.g., software-as-a-service applications, etc.) to the corporate entities. For example, many corporations use Box.com® to store and access data. Such corporations may be considered to have a customer/vendor relationship with Box.com®, where Box.com® is the vendor, and each of the corporate entities that use Box.com® are the customers. Such relationships make it difficult to assess the cybersecurity risk of an organization (e.g., because the risk may be dependent upon not only the level of cybersecurity that an organization has, but also on the level of cybersecurity that its vendors have). However, identifying these types of relationships is often difficult, as vendors do not readily provide or otherwise make their customer list available to third parties. Thus, discovering such relationships is often difficult. Further, the lack of accurate relationship information makes assessing aggregate cybersecurity risk for an organization difficult, and often inaccurate (e.g., because of unknown relationships).
Embodiments of the present disclosure provide systems, methods, and computer-readable storage media that provide non-intrusive techniques for discovering relationships between organizations (e.g., customer/vendor relationships, vendor/vendor relationships, and the like). For example, if an organization (e.g., a bank) uses cloud services provided by one or more vendors (e.g., cloud service providers), embodiments of the present disclosure provide non-intrusive techniques for discovering the existence of the relationships (e.g., a customer/vendor relationship) between the organization and each of the one or more vendors (e.g., the organization is a customer of each of the one or more vendors).
Additionally, embodiments of the present disclosure provide systems, methods, and computer-readable storage media for calculating an entity's cybersecurity risk based on discovered organizational relationships. Organizational relationships may impact the cybersecurity risk for each of the organizations involved because a security compromise of a downstream or upstream organization can lead to a compromise of multiple other organizations. As an example, if organization A uses B (e.g., a cloud service provider) to store files, and B is compromised, this may lead to organization A being compromised (e.g., the files organization A stored using B may have been compromised by the breach of B's cybersecurity). This type of cybersecurity threat may also be indirect (e.g., the breached organization does not have a direct customer/vendor relationship with the breached party). For example, if B, above, is hosted by an organization C, and then organization C is compromised, this could lead to a domino effect where multiple other organizations are compromised, such as B and/or A. In the scenarios above, it can be seen that the aggregate cybersecurity risk of A is dependent upon: 1) the level of cybersecurity that A has; and 2) the level of cybersecurity that various vendors having direct and indirect relationships with A have. Embodiments of the present disclosure provide a technique for identifying customer/vendor relationships between organizations. Additionally, embodiments of the present disclosure provide techniques for calculating a cybersecurity risk score for an organization based on identified customer/vendor relationships of the organization.
The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the embodiments will be described hereinafter which form the subject of the claims of the present disclosure. It should be appreciated by those skilled in the art that the conception and specific embodiment disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present disclosure. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the scope of the present disclosure as set forth in the appended claims. The novel features which are believed to be characteristic of the embodiments, both as to its organization and method of operation, together with further objects and advantages will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present invention.
For a more complete understanding of the present invention, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
An entity's knowledge of its cybersecurity risks, as well as those of its current, former, and potential future business partners, such as any vendors that may provide services to the entity, may serve as strategic information used to guide the entity's cybersecurity and business decisions. To provide an accurate picture of an entity's cybersecurity risk, the concepts and embodiments described herein involve discovering organizational relationships between the entity and other organizations (e.g., the entity's vendors, the entity's customers, etc.). Non-intrusive data collection involves collecting data from a source for which permission from the entity whose cybersecurity risk is calculated is not required. In contrast, intrusive data collection involves collecting data from a source for which permission from the entity whose cybersecurity risk is calculated is required. Embodiments of the present disclosure utilize various non-intrusive techniques, described in more detail below, to collect information that would most likely not be accessible via intrusive techniques. For example, a company may be reluctant to provide information regarding all of the vendors that it uses in its ordinary course of business, and a vendor may likewise be reluctant to provide a list of all of its customers (e.g., for purposes of calculating a cybersecurity risk for the entity). Non-intrusive data collection techniques utilized in accordance with embodiments of the present disclosure may be employed to discover organizational relationships between various organizations, and to provide a detailed assessment of an entity's cybersecurity risk (e.g., based on discovered organizational relationships). Nevertheless, these non-intrusive data collection techniques may be used in conjunction with other data collection techniques, such as intrusive data collection techniques, to provide a requisite level of performance—depending on the objective.
The collected data is used to identify relationships between various entities to create a mapping or graph of an Internet ecosystem representing vendor/client relationships. In an embodiment, these relationships may be used to calculate or assess an aggregate cybersecurity risk for an entity. The aggregate cybersecurity risk may provide an indication of the level of cybersecurity for a target entity, and may further indicate how the entity's cybersecurity risk is affected by the entity's relationships with one or more third parties.
In an embodiment, a scorecard system may be used to calculate the cybersecurity risk score based on discovered relationships. The scorecard system may use the calculated cybersecurity risk score to determine ranking, percentile, and other detailed cybersecurity risk information about the entity, and this information may be used to determine how various relationships that the entity has with third parties impact the entity's cybersecurity risk. Additionally, the cybersecurity risk score calculated according to embodiments may provide information that may be used by third parties to assess the cybersecurity risk of the entity in connection with establishing a relationship with the entity.
As will be further discussed below, the disclosed embodiments facilitate the discovery of organizational relationships, and allow the cybersecurity risk score for an entity to be updated via real-time monitoring based on the discovered relationships. Also, the scorecard system allows the cybersecurity risk score to be determined nearly instantly, or in near real-time. As a result, an entity can use the scorecard system to track its historical performance, as well as monitoring how the entity's cybersecurity risk is impacted by third parties that have relationships with the entity, which may allow the entity to be proactive in preventing a cybersecurity threat.
Certain units described in this specification have been labeled as modules in order to more particularly emphasize their implementation independence. A module is “[a] self-contained hardware or software component that interacts with a larger system.” Alan Freedman, “The Computer Glossary” 268 (8th ed. 1998). A module may comprise a machine- or machines-executable instructions. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also include software-defined units or instructions, that when executed by a processing machine or device, transform data stored on a data storage device from a first state to a second state. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions that may be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations that, when joined logically together, comprise the module, and when executed by the processor, achieve the stated data transformation. A module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and/or across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices.
In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of the present embodiments. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
Referring to
The communication network 120 may facilitate communication of data between the relationship server 110 and the data sources 150. The communication network 120 may also facilitate communication of data between the relationship server 110 and other servers/processors, such as entity server 130. The communication network 120 may include any type of communications network, such as a direct PC-to-PC connection, a local area network (LAN), a wide area network (WAN), a modem-to-modem connection, the Internet, a combination of the above, or any other communications network now known or later developed within the networking arts which permits two or more electronic devices to communicate.
The entity server 130 may comprise the servers which the entity 140 uses to support its operations. In some embodiments, the relationship server 110 may access the entity server 13 to collect information that may be used to calculate an entity's cybersecurity risk. The data sources 150 include the sources from which the relationship server 110 collects information to calculate and benchmark an entity's cybersecurity risk.
The entity 140 may include any organization, company, corporation, or group of individuals. For example, one entity may be a corporation with thousands of employees and headquarters in New York City, while another entity may be a group of one or more individuals associated with a website and having headquarters in a residential home.
Data sources 150 may include any source of data accessible over communication network 120. By way of example, and not limitation, one source of data can include a website associated with a company, while another source of data may be an online database of various information. In general, the data sources 150 may be sources of any kind of data, such as domain name data, social media data, multimedia data, IP address data, and the like. One of skill in the art would readily recognize that data sources 150 are not limited to a particular data source, and that any source from which data may be retrieved may serve as a data source so long as it can be accessed via the communication network 120.
With respect to user station 160, the central processing unit (“CPU”) 161 is coupled to the system bus 162. The CPU 161 may be a CPU or microprocessor, a graphics processing unit (“GPU,), and/or microcontroller that has been programmed to perform the functions of the relationship server 110, as described in more detail below with reference to
The user station 160 also comprises random access memory (RAM) 163, which can be synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), or the like. The user station 160 may utilize the RAM 163 to store the various data structures used by a software application. The user station 160 may also comprise read only memory (ROM) 164 which can be PROM, EPROM, EEPROM, optical storage, or the like. The ROM may store configuration information for booting the user station 160. The RAM 163 and the ROM 164 hold user and system data, and both the RAM 163 and the ROM 164 may be randomly accessed.
The user station 160 may also comprise an input/output (I/O) adapter 165, a communications adapter 166, a user interface adapter 167, and a display adapter 168. The I/O adapter 165 and/or the user interface adapter 167 may, in certain embodiments, enable a user to interact with the user station 160. In a further embodiment, the display adapter 168 may display a graphical user interface (GUI) associated with a software or web-based application on a display device 169, such as a monitor or touch screen.
The I/O adapter 165 may couple one or more storage devices 170, such as one or more of a hard drive, a solid state storage device, a flash drive, a compact disc (CD) drive, a floppy disk drive, and a tape drive, to the user station 160. Also, the data storage 170 can be a separate server coupled to the user station 160 through a network connection to the I/O adapter 165. The communications adapter 166 can be adapted to couple the user station 160 to a network, which can be one or more of a LAN, WAN, and/or the Internet. Therefore, in some embodiments, the cybersecurity risk assessment portal 160 may be an online portal. The user interface adapter 167 couples user input devices, such as a keyboard 171, a pointing device 172, and/or a touch screen (not shown) to the user station 160. The display adapter 168 can be driven by the CPU 161 to control the display on the display device 169. Any of the devices 161-168 may be physical and/or logical.
The concepts described herein are not limited to the architecture of user station 160. Rather, the user station 160 is provided as an example of one type of computing device that can be adapted to perform the functions of the relationship server 110 of embodiments and/or the user interface device 165. For example, any suitable processor-based device can be utilized including, without limitation, personal data assistants (PDAs), tablet computers, smartphones, computer game consoles, multi-processor servers, and the like. Moreover, the systems and methods of the present disclosure can be implemented on application specific integrated circuits (ASIC), very large scale integrated (VLSI) circuits, or other circuitry. In fact, persons of ordinary skill in the art may utilize any number of suitable structures capable of executing logical operations according to the described embodiments. Additionally, it should be appreciated that user station 160, or certain components thereof, may reside at, or be installed in, different locations within network 100.
Referring to
The gather initial data set module 210 may access information (e.g., information stored in the data storage 170) to identify a set of data that may be used passed to the template generation module 220 in connection with generation of one or more candidate URL templates. In an embodiment, the set of data may be determined using a list “S” comprising company names and a list “K” of keywords. In an embodiment, the company names identified in the list “S” and the keywords identified in list “K” may be selected from a list “T” comprising a database of all known company names and keywords. The keywords may correspond to words that have been identified as suggesting a relationship between a vendor and a company. For example, the keywords may comprise words such as “signin” and its various other permutations (e.g., “sign in,” “sign on,” “login,” “log on,” and the like), or other words indicative of an account with a vendor, such as “username,” “user name,” “password,” and the like. The keywords included in the list “K” may be indicative of a relationship (e.g., an account that a company has with a vendor), as will be described in more detail below. The companies identified in the list “S” may correspond to companies of interest (e.g., companies for which a cybersecurity risk score is desired), and/or may comprise companies that are likely to be relevant to the companies of interest (e.g., vendors of interest). In an embodiment, the companies identified in the list “S” may be identified from the list “T.” Once the gather initial data set module 210 has identified the initial set of data, it may pass the initial set of data to the template generation module 220.
The template generation module 220 may comprise one or more routines, executable by one or more processors (e.g., the CPU 161 of
For example, and referring briefly to
Referring back to
In an embodiment, the set of candidate URLs may include candidate URLs associated with different URL templates. For example, a first template may correspond to a domain and subdomain combination, such as the candidate URL “https://<company B>.genericwebsite.com” of
The template analysis module 230 may comprise one or more routines, executable by one or more processors (e.g., the CPU 161 of
In an embodiment, a threshold may be configured for use in determining whether a URL template count is indicative of an invalid URL template or a valid URL template. For example, if a count of ten or less candidate URLs for a particular URL template type indicates a high probability that the particular URL template is invalid, the threshold may be set to ten. Thus, any URL templates generated by the system 200 that have a count less than the threshold may be discarded as invalid. In an embodiment, the threshold may be set by a user of the system 200. In an additional or alternative embodiment, the threshold may be dynamically configured (e.g., by machine learning algorithms) based on historical data analysis associated with URL templates and candidate URLs. For example, when the system 200 is first operated, all URL templates may be determined to be valid, and may be explored, as described in more detail below. As a result of that analysis and exploration, the system 200 may generate historical URL template analysis information that identifies counts for various URL template and indicates whether URL templates having a particular count resulted in valid relationship information being obtained. Over time, this historical URL template analysis information may be used to dynamically configure the threshold. In an embodiment, each time a set of candidate URLs are generated for a new vendor (e.g., the first time that a vendor is associated with the first information), all templates may be counted, and explored irrespective of counts. This may be beneficial as an initial run to discover relationships for a new vendor (e.g., a vendor for which no relationship information has been previously discovered) because the potential scope in terms of relationships the new vendor may have is unknown. Thus, a relatively low count may still be indicative of a valid template, and should be explored to determine or configure the threshold for discarding URL templates. For example, if the new vendor is a startup company, the vendor may have a relatively low number of relationships. As time passes, the number of relationships the company has may increase as the vendor establishes new relationships. As this occurs, the threshold may be dynamically updated to increase threshold. Similarly, for existing vendors (e.g., vendors for which relationships have been previously discovered), the threshold may be dynamically adjusted up or down depending on whether the vendor is gaining or losing relationships. Exemplary techniques for discovering lost relationships are described in more detail below.
The template exploration module 240 may comprise one or more routines, executable by one or more processors (e.g., the CPU 161 of
Referring briefly to
In response to a determination that one or more candidate URLs correspond to valid websites of the vendor, the template exploration module 240 may analyze content of each valid website to determine whether the content includes information that is unique to the company identified by each corresponding candidate URL's second information. The presence of information that is unique to the first company within the content of a website of the vendor may indicate that a relationship exists between the company and the vendor. For example, the second candidate URL illustrated at 740 of
In an embodiment, the template exploration module 240 may further analyze the content of valid websites to determine where in the valid websites the content uniquely associated with a company is located. For example, when the content is located on a login page, this may more strongly suggest that a relationship exists than when information uniquely associated with the company is found within text in the body of the website. In an embodiment, the template exploration module 240 may store information representative of the type of content (e.g., logo, company name in text, redirect link, etc.) identified as unique to the company of interest, and the location of the content within the valid website at a database (e.g., the data storage 170 of
In an embodiment, once a candidate URL and/or template is found that resolves to a valid website that includes content unique to a particular company, the template exploration module 240 may analyze or explore the template using additional company information. For example, if the initial set of candidate URLs for a particular template only included five candidate URLs for five different companies (e.g., five different companies selected from the list “S” and/or the list “T”), the template exploration module 240 may generate additional candidate URLs (or instruct the template generation module 220 to generate the additional candidate URLs) using additional company names (e.g., candidate URLs containing second information corresponding to companies that are different from the five different companies included in the initial set of candidate URLs), and may evaluate/analyze the additional candidate URLs in the manner described above to determine whether any of the additional candidate URLs correspond to a valid website that includes content unique to one of the additional companies. This may facilitate discovery of additional relationships that the vendor has. It is noted that a company may be both a vendor, and a client. Thus, in embodiments, some of the candidate URLs may include a particular company as a vendor (e.g., associated with the first information included in the candidate URL), while other candidate URLs may include the particular company as a client (e.g., associated with the second information included in the candidate URL).
The quality control analysis module 250 may comprise one or more routines, executable by one or more processors (e.g., the CPU 161 of
The relationship analysis module 260 may comprise one or more routines, executable by one or more processors (e.g., the CPU 161 of
In an embodiment, the additional data sources module 280 may comprise one or more routines, executable by one or more processors (e.g, the processor 161 of
Social media site and job posting site analysis may be used to analyze information that employees of a company post within the social media profiles or job posting sites that may indicate a relationship between the employer and one or more vendors. For example, if a person working for a particular company posts a particular technology (e.g., SQL Server®) was used at their job, it can be deduced that the particular company has Microsoft as a vendor (e.g., because SQL Server® is a product produced by Microsoft). In an embodiment, frequency analysis may be performed in connection with such information to increase the reliability of any relationships determined from such information. For example, if a high percentage of people working at a particular company indicate that a particular technology is used at their job, this may more strongly suggest that their employer has a client/vendor relationship with the provider/manufacturer of the particular technology. Additionally, analysis of press releases may reveal information about various relationships that an entity has with one or more third party vendors.
The weighting module 270 may comprise one or more routines, executable by a processor (e.g., the processor 161 of
To date, relationship information, such as the information obtained using the techniques of the system 200 described above, has not been easily accessible, and thus, organizational relationships determined according to embodiments of the present disclosure may provide a higher degree of accuracy with respect to organizational relationships. This is because traditional techniques primarily utilized analysis of website source code, but such analysis did not often turn up information indicating the existence of a relationship between a vendor and a company, and often resulted in obtaining only a small fraction of the relationships identified according to embodiments of the system 200. Thus, embodiments of the present disclosure improve the functioning of relationship servers, such as the relationship server 110 of
In some embodiments, the system 200 may be configured to periodically refresh the relationship information. This refreshing of the relationship information may be further analyzed to discover various types of information. For example, periodically updating the relationship information may facilitate tracking the growth of companies, such as when a company is adding new relationships (e.g., relationships with new clients, or additional relationships/connections with existing clients), or the decline of companies, such as when a company is losing relationships faster than the company is adding new relationships. This may facilitate competitive market analysis (e.g., how a company is doing relative to its competitors). As another example, the refreshing of the relationship information may facilitate analysis of the health of the Internet ecosystem as discovered by the system 200 (e.g., are particular market segments adding relationships, which is a sign of good health for that segment of the Internet ecosystem, or losing relationships, which would indicate poor health for that segment of the Internet ecosystem). It is noted that the various uses for the relationship information provided herein have been provided for purposes of illustration, rather than by way of limitation, and the relationship information generated according to embodiments of the present disclosure may be used for many other purposes without departing from the scope of the present disclosure.
Referring to
Referring to
Referring to
At 610, the method 600 includes executing a first routine to generate a candidate universal resource locator (URL) associated with a first vendor. In an embodiment, the first routine may correspond to the routine of the template generation module 220 of
At 620, the method 600 includes executing a second routine to determine whether the candidate URL corresponds to a valid website of the first vendor, and, at 630, executing a third routine to analyze content of the website of the first vendor to determine whether the content includes information that is unique to the first company in response to a determination that the candidate URL corresponds to a valid website of the first vendor. In an embodiment, the second routine and/or the third routine may correspond to one or more of the routines described in connection with the template analysis module 230 and the template exploration module 240 described in connection with
At 640, the method 600 may include executing a fourth routine to determine a cybersecurity risk score for the first vendor, and, at 650, executing a fifth routine to determine a cybersecurity risk score for the first company. In an embodiment, the fourth routine and the fifth routine may correspond to the routine described in connection with the scoring module 810 of
At 660, the method 600 includes executing a sixth routine to modify the cybersecurity risk score of the first company based, at least in part, on the cybersecurity risk score of the first vendor. In an embodiment, the sixth routine may correspond to one or more of the routines described in connection with the weighting module 270 of
Referring to
The scoring module 810 may comprise one or more routines, executable by one or more processors (e.g., the CPU 161 of
In an embodiment, the weighted relationship information 272 generated by the weighting module 270, as described with reference to
In an embodiment, the weighting module 270 may be further configured to determine the weight of a relationship based on risk factors, and the scoring module 810 may generate a cybersecurity score based on the risk factors. In an embodiment, the risk factor(s) may represent the affect that, or degree to which, a breach of the vendor's cybersecurity will expose sensitive data of the company being scored. For example, if the relationship is between a company and a cloud data storage provider, a breach of the cloud storage provider's systems may expose some or all of the data stored in the cloud by the company. In such instances, the weighting module 270 may determine that a breach of the vendor's cybersecurity may potentially expose sensitive data of the company being scored, and may give that relationship more weight. Based on the risk factor(s), the weighting module 270 may determine the weight of the relationship, and scoring module 810 may modify or adjust the cybersecurity score of the company based, at least in part, on the weighting of the relationship. Thus, the weighting may account for, or indicate the risk level indicated by the risk factor. For example, in the scenario above, the risk factor may indicate a high risk level because the company is storing information at the cloud offered by the vendor, and a compromise of the vendor may result in a breach of information that the company may has stored within the cloud. If the cybersecurity risk score for the vendor is low and the risk factor indicates a high risk level, the weighting of the relationship may result in a lower cybersecurity risk score for the company. If the cybersecurity risk score for the vendor is high, the weighting factor may result in no change or only a slight decrease to the cybersecurity score of the company. In an embodiment, the risk factors and weights may be stored at the data storage 170 of
The cybersecurity risk score 812 may be provided to a third party that may be interested in the aggregate cybersecurity risk for a company (e.g., the cybersecurity risk of the company, as may be impacted by the company's relationships, whether direct or indirect, with one or more vendors). For example, when an insurance provider is assessing the cybersecurity risk of a company in connection with underwriting an insurance policy covering costs associated with breaches of information security, the insurance provider may desire to consider how any vendors that the potential insured company has relationships with, as those relationships may change how the insurance company views the cybersecurity risk of the company. For example, if the potential insured has a high level of cybersecurity, but exchanges and stores data with several vendors who have a low level of cybersecurity, the aggregate cybersecurity risk of the potential insured may be higher (e.g., greater risk) than the cybersecurity risk of the potential insured alone.
In some embodiments, the system 800 may be configured to periodically refresh the relationship information. For example, after a threshold period of time has elapsed, the system 800 may capture another snapshot of relationships between various entities using the techniques described above. This may allow the system 800 to keep the cybersecurity risk scores up-to-date with the most recent set of relationship information for each entity included in the analysis. For example, when a first snapshot is taken and the cybersecurity risk scores are calculated, a first company may have a relationship with a first vendor having poor cybersecurity, which may negatively impact the aggregate cybersecurity risk score for the first company, as described above. However, a second snapshot may be captured after some threshold time period has elapsed since the first snapshot was taken, and the information captured in the second snapshot may indicate that the first company no longer has a relationship with the first vendor, and instead has a new relationship with a second vendor having a good cybersecurity posture, which may result in the weighting and scoring modules modifying or adjusting the aggregate cybersecurity risk score for the first company to indicate an improved or higher level of cybersecurity (e.g., an improved cybersecurity risk score), and lower cybersecurity risk. In an additional or alternative embodiment, the scoring module 810 may be configured to determine the cybersecurity risk score for various entities without applying weights to the relationship information, as indicated by the arrow 864. Using relationship information, whether weighted or unweighted, to determine an entity's cybersecurity risk score may improve the accuracy of the cybersecurity risk scores by accounting for how those relationships impact the cybersecurity of the entity being scored. Thus, embodiments of the present disclosure improve the functioning of a computer programmed to determine cybersecurity risk score, and improve the technical field of assessing cybersecurity risks associated with entities. In an embodiment, the scoring module 810 may be configured to determine, at least in part, cybersecurity scores using one or more of the techniques described in commonly-owned and co-pending U.S. patent application Ser. No. 14/702,661, entitled “CALCULATING AND BENCHMARKING AN ENTITY'S CYBERSECURITY RISK SCORE,” the contents of which are incorporated herein by reference in its entirety, and then weight an entity's cybersecurity score based on the weighted relationship information and cybersecurity risk scores of the entities having relationships with the entity.
Referring to
At 910, the method 900 includes executing, by one or more processors, a first routine to generate a candidate universal resource locator (URL) associated with a first vendor. In an embodiment, the candidate URL may comprise first information corresponding to a website associated with the first vendor and second information associated with the first company, where the first vendor and the first company are different, as described with reference to
In an additional or alternative embodiment, the relationship information may be used to determine various other types of information associated with the first company and/or the first vendor, such as whether the first company or first vendor is adding new relationships, losing relationships, etc., as described above with reference to
Although the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one of ordinary skill in the art will readily appreciate from the disclosure of the present invention, processes, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be utilized according to the present invention. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.
Patent | Priority | Assignee | Title |
10949543, | Apr 22 2020 | NormShield, Inc. | System and method for scalable cyber-risk assessment of computer systems |
11509682, | Sep 15 2021 | NormShield, Inc | System and method for computation of ransomware susceptibility |
11522900, | May 10 2019 | Cybeta, LLC | System and method for cyber security threat assessment |
11816232, | Aug 08 2019 | Allstate Insurance Company | Privacy score |
11886598, | Apr 22 2020 | NormShield, Inc. | System and method for scalable cyber-risk assessment of computer systems |
11979427, | Sep 15 2021 | NormShield, Inc. | System and method for computation of ransomware susceptibility |
Patent | Priority | Assignee | Title |
9294498, | Dec 13 2014 | SecurityScorecard, Inc. | Online portal for improving cybersecurity risk scores |
20080270209, | |||
20090210419, | |||
20100186088, | |||
20110035287, | |||
20130212658, | |||
20140074584, | |||
20140337973, | |||
20150154156, | |||
20150207813, | |||
20150229664, | |||
20170048267, | |||
20170078308, | |||
WO2008140683, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Feb 17 2016 | SecurityScorecard, Inc. | (assignment on the face of the patent) | / | |||
Feb 18 2016 | RASUMOV, NIKON | SECURITY SCORECARD, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 038423 | /0887 | |
Feb 18 2016 | RASUMOV, NIKON | SECURITYSCORECARD, INC | CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED AT REEL: 038423 FRAME: 0887 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 044222 | /0442 | |
Sep 17 2021 | SECURITYSCORECARD, INC | JPMORGAN CHASE BANK, N A | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 057514 | /0519 | |
Jun 06 2024 | JPMORGAN CHASE BANK, N A | SECURITYSCORECARD, INC | RELEASE BY SECURED PARTY SEE DOCUMENT FOR DETAILS | 068631 | /0463 | |
Jun 07 2024 | SECURITYSCORECARD, INC | FIRST-CITIZENS BANK & TRUST COMPANY | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 067711 | /0635 |
Date | Maintenance Fee Events |
Oct 05 2022 | M2551: Payment of Maintenance Fee, 4th Yr, Small Entity. |
Date | Maintenance Schedule |
Apr 23 2022 | 4 years fee payment window open |
Oct 23 2022 | 6 months grace period start (w surcharge) |
Apr 23 2023 | patent expiry (for year 4) |
Apr 23 2025 | 2 years to revive unintentionally abandoned end. (for year 4) |
Apr 23 2026 | 8 years fee payment window open |
Oct 23 2026 | 6 months grace period start (w surcharge) |
Apr 23 2027 | patent expiry (for year 8) |
Apr 23 2029 | 2 years to revive unintentionally abandoned end. (for year 8) |
Apr 23 2030 | 12 years fee payment window open |
Oct 23 2030 | 6 months grace period start (w surcharge) |
Apr 23 2031 | patent expiry (for year 12) |
Apr 23 2033 | 2 years to revive unintentionally abandoned end. (for year 12) |